2 May 2016

Telegram – HTTP over HTTPS

When we think about instant messaging, we think about WhatsApp and Telegram. Today I want to write about Telegram, an application that gained popularity after the PRISM surveillance program became public and after the WhatsApp outage of 24 February 2014, and in particular about a behaviour that I don't fully understand. Telegram is said to be highly secure, and this is given as the reason why ISIS uses it, because they can send messages without being tracked, but we are going to see that not everything on the wire is encrypted.

Telegram uses MTProto (Mobile Transport Protocol), released in 2013 by Telegram's developers (then operating as Digital Fortress); it is a custom protocol, not XMPP. MTProto does not encrypt with SHA-1 and has no signature step: in MTProto 1.0 the message is encrypted with AES-256 in IGE mode, SHA-1 is used to derive the msg_key and the AES key and IV from the long-lived authorization key, and that authorization key is established with Diffie-Hellman when the client first connects; message integrity comes from the msg_key, not from a digital signature. What is weird to me, however, is how the Telegram mobile apps send POST requests in plaintext over the HTTPS port to Telegram servers, where we can also see which API the client is using. Is this useful for an attacker? Maybe.

In fact, I noticed this while looking at an alarm in the Ariolo Probe, which flagged a network anomaly: HTTP traffic over the HTTPS port. Looking deeper, the destination IP belongs to Telegram, and POST requests are being sent in plaintext to Telegram servers on the HTTPS port (tcp/443). What is this?

[Screenshot: Ariolo Probe alarms]

[Screenshot: alarm "HTTP over HTTPS"]

Next, I downloaded the pcap and went through it in Wireshark. The request line and headers are readable, and we can even see the API identifier the client is using. Is this information useful?

[Screenshot: analysis with Wireshark]
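The kind of triage one can do on such a flow, as an added example in Python that is not the probe's, the author's or Telegram's code: it tells a TLS record apart from a cleartext HTTP request on tcp/443, extracts the request line and headers that a passive observer can read, and checks whether the POST body looks like ciphertext or like readable form data. The sample payloads are constructed, and the /api path, the 192.0.2.10 host and the auth_key_id value in them are placeholders, not values from the author's capture. The outer layout it reads from the body (an 8-byte auth_key_id followed by a 16-byte msg_key) is the one Telegram documents for encrypted MTProto messages.

```python
"""Triage of cleartext HTTP seen on tcp/443 (added example, not the probe's code).

Given the first TCP payload of a flow towards port 443, decide whether it is a
TLS record or a cleartext HTTP request. For HTTP, pull out the envelope an
observer can read (request line, headers) and judge whether the body is
readable or looks like ciphertext. Sample payloads below are constructed.
"""
import hashlib
import math
import struct
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")
ENTROPY_CIPHERTEXT_BITS = 7.0   # bits/byte; ASCII text rarely exceeds ~5


def is_tls_record(payload: bytes) -> bool:
    """TLS record header: content type 0x14..0x17, then version 0x03 0x00..0x03."""
    return (len(payload) >= 3 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x03)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_http_request(payload: bytes) -> dict:
    """Split a cleartext request into request line, headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return {"method": method.decode("ascii", "replace"),
            "path": path.decode("ascii", "replace"),
            "version": version.decode("ascii", "replace"),
            "headers": headers, "body": body}


def mtproto_outer_header(body: bytes) -> Optional[dict]:
    """Read the two fields MTProto puts in front of every encrypted message:
    auth_key_id (int64, little-endian) and msg_key (16 bytes). A zero
    auth_key_id marks an unencrypted service message (e.g. during key exchange).
    """
    if len(body) < 24:
        return None
    (auth_key_id,) = struct.unpack("<q", body[:8])
    return {"auth_key_id": auth_key_id, "msg_key": body[8:24].hex(),
            "encrypted": auth_key_id != 0}


def classify_payload(payload: bytes) -> dict:
    """Verdict for one tcp/443 payload: 'tls', 'http-over-443' or 'unknown'."""
    if is_tls_record(payload):
        return {"verdict": "tls"}
    if not payload.startswith(HTTP_METHODS):
        return {"verdict": "unknown"}
    req = parse_http_request(payload)
    entropy = shannon_entropy(req["body"])
    looks_encrypted = entropy >= ENTROPY_CIPHERTEXT_BITS
    req.update(verdict="http-over-443",
               body_entropy=round(entropy, 2),
               body_looks_encrypted=looks_encrypted,
               # Only try the MTProto outer header on ciphertext-looking bodies.
               mtproto=mtproto_outer_header(req["body"]) if looks_encrypted else None)
    return req


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for AES output."""
    out, block = b"", b"constructed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples (placeholder host, path and auth_key_id; not captured data).
SAMPLE_TLS = bytes.fromhex("160301") + b"\x00\x05" + b"\x01\x00\x00\x01\x00"
_MTPROTO_BODY = struct.pack("<q", 0x1122334455667788) + _pseudo_ciphertext(16 + 1024)
SAMPLE_TELEGRAM_LIKE = (b"POST /api HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                        b"Content-Type: application/x-www-form-urlencoded\r\n"
                        b"Content-Length: %d\r\n\r\n" % len(_MTPROTO_BODY)) + _MTPROTO_BODY
_FORM_BODY = b"user=alice&password=hunter2"
SAMPLE_PLAIN_FORM = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
                     b"Content-Length: %d\r\n\r\n" % len(_FORM_BODY)) + _FORM_BODY

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("telegram-like", SAMPLE_TELEGRAM_LIKE),
                         ("plain-form", SAMPLE_PLAIN_FORM)):
        print(name, {k: v for k, v in classify_payload(sample).items() if k != "body"})
```

The useful distinction for an analyst is the last field: a cleartext POST whose body is readable form data is a real leak, while a cleartext POST carrying a high-entropy body with a non-zero auth_key_id in front exposes only the envelope (destination, path, sizes, timing), not the message. An entropy threshold is a heuristic, so compressed bodies can also score high; the MTProto header check is what narrows it down.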

According to Telegram, this kind of connection is used to send messages:

[Screenshot: POST from Telegram]

This is in fact expected behaviour rather than a bug: MTProto has its own HTTP transport, in which the client POSTs the MTProto-encrypted message as the request body over tcp/80 or tcp/443 without TLS. The HTTP envelope (request line, headers, destination, message sizes and timing) is plaintext, which is what the probe flags, but the body is ciphertext under the session's authorization key. So a passive observer learns that a device is talking to Telegram, and roughly when and how much, but not what is said. Note also that this is client-server encryption, so Telegram itself can read ordinary chats; only secret chats are end-to-end encrypted. Meanwhile, we can use other instant messaging applications that encrypt end-to-end by default to protect our communications, such as Signal Private Messenger or Cryptocat.

Regards my friends, and remember, drop a line with the first thing you're thinking.